New Apple operating systems bring security mysteries

Apple’s march toward seamless integration between the Mac, iPhone and iPad worries some security experts who say companies may find it more difficult to prevent data leakage on the devices.

On Tuesday, Apple introduced Handoff, a feature in the upcoming iOS 8 and Mac OS X Yosemite that would let a person start a task on one device and complete it on another. For example, an email started on the Mac could be completed later on the iPad.

The ability to perform tasks across devices would work with many Apple apps, such as Mail, Safari, Pages, Numbers, Keynote, Maps, Calendar and Contacts. Developers could build the functionality into their own apps as well.

While certain to please many consumers, the feature would be a concern for businesses, Richard Henderson, a threat researcher for Fortinet’s FortiGuard Labs, said. Companies with liberal bring-your-own-device policies would take the greatest risks.

“There needs to be a concern for data leakage prevention,” Henderson said.

Another potential source of data loss is Family Sharing, which lets family members share calendars, reminders, photos and locations across devices. Again, apps such as calendars and reminders could contain sensitive business data.

If Apple intends to be friendly to businesses, then it should let corporate IT staff turn off these features when the new operating systems are released in spring.

“If not, you probably should have a very, very serious discussion over whether you want to let iOS devices on your network,” Henderson said. “The ability for people to leak data that doesn’t belong to them exists with these new technologies.”

One feature that could prove useful to the enterprise is the extended use of Touch ID, the application that lets a person use the fingerprint scanner on the newest iPhone to unlock the device.

Starting with iOS 8, developers will be able to tap into Touch ID in order to require a fingerprint scan to launch an app or access certain features in the app.

What companies would want is the ability to use Touch ID in enforcing their own policies for unlocking a device or using enterprise apps, Paul Madsen, principal technical architect for identity management vendor Ping Identity, said.

To be friendly to the enterprise, Touch ID would have to be configurable through mobile device management systems, which is what many companies use to control the use of business apps and the movement of corporate data.

While Apple could extend Touch ID for use in MDM systems, “I’ve only heard of the consumer-centric cases for Touch ID,” Madsen said. Those cases have included online banking apps.